[ https://issues.apache.org/jira/browse/NUTCH-2786?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Md Mahir Asef Kabir updated NUTCH-2786:
---------------------------------------
    Description:

* *Vulnerability Description:* In "src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java" overridden TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) do not have validation logic for certificates.
* *Reason it's vulnerable:* It is vulnerable because DummyX509TrustManager implements X509TrustManager and it overrides the standard TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) to do nothing but returning hard-coded *true*. Certificate validation is expected to be handled by these methods. Doing nothing means no verification.
* *Suggested Fix:* Adding necessary certificate verification logic in the overridden methods. This is example code showing a format that can be used and modified appropriately to implement the certificate validation logic - https://paste.ubuntu.com/p/jWtH2yTNR8/ .
* *Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion -
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn't find the suggestion helpful

was:

* *Vulnerability Description:* In "src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java" overridden TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) do not have validation logic for certificates.
* *Reason it's vulnerable:* It is vulnerable because DummyX509TrustManager implements X509TrustManager and it overrides the standard TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) to do nothing but returning hard-coded *true*. Certificate validation is expected to be handled by these methods. Doing nothing means no verification.
* *Suggested Fix:* Adding necessary certificate verification logic in the overridden methods.
* *Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion -
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn't find the suggestion helpful

> TrustManager methods do not have certificate validation logic
> -------------------------------------------------------------
>
>                 Key: NUTCH-2786
>                 URL: https://issues.apache.org/jira/browse/NUTCH-2786
>             Project: Nutch
>          Issue Type: Improvement
>          Components: plugin, protocol
>    Affects Versions: 1.16
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>             Fix For: 1.18
>
>
> (issue description as above)

--
This message was sent by Atlassian Jira
(v8.3.4#803005)